Live streaming adult site leaves 7 terabytes of private data exposed

Our security research team, led by Anurag Sen, has discovered a significant data leak stretching into billions of records at adult live-streaming website CAM4.com, belonging to Irish company Granity Entertainment.

The server’s database size exceeded 7 terabytes with production logs dating from 16 March 2020 and increasing daily.

The unsecured Elastic Search database included a significant amount of both user and company information with the vast majority of email data records referring to users in the US.

The Ireland-based company was immediately contacted and the server was secured shortly afterwards.

Who is CAM4?

CAM4 is a live streaming “cam model” website providing explicit content intended only for adults.

CAM4 is predominantly used by amateur webcam performers with site customers able to purchase virtual tokens that can be used to tip performers or watch private shows.

According to news reports, CAM4 has paid out more than US$100 million in performer commissions since its inception in 2007.

Surecom Corp connection

After reaching out to CAM4.com directly, our security team received a prompt response and also advised us to inform another company called Smart-X.net.

Upon further investigation, our team discovered that both domains (CAM4.com and Smart-X.net) are owned by parent company Surecom Corp.

What was leaked?

Number of records leaked:

10.88 billion including personally identifiable information (PII)

Number of customers/users affected:

Unknown

Server size:

7 terabytes

Server location:

Netherlands, hosted by Mojohost B.v

Company location:

Ireland (also registered in other jurisdictions)

According to the research team, millions of PII entries were available for public view without adequate security measures, including:

The email count exceeded several million although the exact number could not be accurately gauged because of multiple entries.

According to the research team, a large volume of emails was sourced from major email domains such as gmail.com, icloud.com and hotmail.com.

However, many pieces of private information were not available while password fields were masked in the instances seen by our investigators.

Database contained user activity and login dates for public view

In total, around 11 million records contained emails with some entries containing multiple email addresses relating to users from multiple countries. Our team managed to obtain a broad-based country-by-country view of exposed email records, although not all countries are listed.

US, Brazilian and Italian users were the most heavily affected although the precise number of email records is difficult to gauge accurately due to multiple entries being duplicated. As expected, countries such as the UAE, Saudi Arabia and Iran all had zero entries given the fact that these countries ban adult content domestically.

The security team also discovered 26,392,701 entries with passwords hashes with a proportion of hashes belonging to CAM4.com users and some from website system resources.

Altogether, a “few hundred entries” revealed full names, credit card types and payment amounts. The combination of all three is a critical aspect — as opposed to having limited access to just payment amounts without full names — because in unison they create a far greater security risk compared to just one or two information points in isolation.

According to the investigation carried out by our security team, it is unclear to whom the various information refers to – either content providers or content viewers. However, it may be the case that all users have the option to post videos if they choose.

Purchase details with email

Data Breach Impact

From the large number of discovered records and the type of information available, several negative outcomes are at risk of occurring including identity theft, phishing scams, website attacks and blackmail.

Full names, emails, and password hashes could also be used to identity users’ real identity and commit various types of deception and fraud.

User emails could be targeted with leaked data then used maliciously to trigger clicks with phishing and malware scams deployed against unsuspecting targets.

The fact that a large amount of email content came from popular domains such as Gmail, Hotmail and iCloud — domains that offer supplementary services such as cloud-storage and business tools — means that compromised CAM4 users could potentially see huge volumes of personal data including photographs, videos and related business information leaked to hackers — assuming their accounts were eventually hacked via phishing as one example.

This information could then be weaponized to compromise other individuals and groups such as family members, colleagues, employees and clients of other businesses.

The availability of fraud detection logs enables hackers to better understand how cybersecurity systems have been set up and could be used as an ideal verification tool for malicious hackers, as well as, enabling a greater level of server penetration.

Moreover, website backend data could be harnessed to exploit the website and create threats including ransomware attacks.

Possibly the greatest risk in both financial and reputational respects is the risk of blackmail scams that could be deployed against users who believe they are anonymous when sharing compromising data and content.

Preventing Data Exposure

How can you prevent your personal information from being exposed in a data leak and ensure that you are not a victim of attacks – cyber or real-world – if it is leaked?

Be cautious of what information you give out and to whom

Check that the website you are on is secure (look for https and/or a closed lock)

Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)